Stop Using Hijacked Passwords That Google Already Told You Were Bad

In February, Google did us lazy bums a favour by adding a Password Checkup extension for Chrome. The way it works is the extension will send you a warning to change your password whenever logging-in to a site using a username or password that’s previously been leaked in a third-party data breach. This is all good, except for the part where Google conducted a study and found that a good chunk of people who installed the extension straight up ignored the warnings and kept reusing old, hijacked passwords.

The study, titled “Protecting accounts from credential stuffing with password breach alerting,” looked at data from 670,000 users and 21 million logins from February 5 to March 4 – the first month that the extension was available. Google found that 1.5 percent of logins involved breached credentials and that 26 percent of warnings resulted in 82,761 users picking out a new password that was at least as strong as the original. Good on those users.

However, the study also found that 81,368 users, or 25.7 percent, just continued to use bad passwords. To make matters worse, Google says those breached passwords were reused on financial, government, and email accounts. It was also found to be most prevalent on shopping, news, and entertainment sites where you can store credit card details. Another troubling tidbit – users were 2.5 times more likely to reuse bad passwords on less popular sites.

As for why a significant percentage of users still used hijacked passwords? Google posited that perhaps users reused passwords on sites or accounts they didn’t view as important enough to go through the effort of resetting a password. It also noted that shared accounts may have contributed to the number, as an individual may not feel comfortable changing a new password that multiple people use. The report also indicated that some users may have just decided to not go through the trouble because the extension does not automate password resetting.

Which is bad. If you care enough to download the Password Checkup extension, you should care enough to change your password when it warns you. The data studied also only accounts for a small sample of users on the internet, meaning it’s likely the number of people reusing bad, hijacked passwords is higher. But it’s okay. You still have time to get a password manager, enable two-factor authentication on your important accounts, and brush up on security hygiene 101.

Above all, the report shows just how hard it is to get people to handle their account security issues even when they’ve shown that they care about the subject and have had a specific issue pointed out to them.